
Microsoft releases DANE support

Microsoft has officially released support for DANE/TLSA for their Office 365 Exchange Online services.

Microsoft had already announced DANE and DNSSEC support for Microsoft Office 365 Exchange Online as early as April 2020, but has now started rolling out the technology for its customers.

Microsoft plans to roll out support in 2 phases: the first phase is to enable DANE support for outbound email, meaning that Microsoft email services will check and validate TLSA records for external SMTP services they are delivering email to. The second phase will be enabling DANE support for inbound email, where Microsoft will add TLSA records for their email services.

With DANE it is possible to protect email services from downgrade and man-in-the-middle attacks by pinning the TLS certificate in a TLSA DNS record. Read more on DANE in our knowledge base article.

Customers using Microsoft Exchange Online do not have to change any DNS settings, as the TLSA records are maintained under the Microsoft domains. According to the release statement, DANE support for outbound email (phase 1) is currently being released 'slowly' and should be fully deployed by March 2022.

SMTP TLS reporting also supported

In addition to releasing TLSA validation for outbound email, Microsoft also released DANE reporting within their SMTP TLS reporting (RFC 8460) services.

As an SMTP TLS reporting aggregation service, Mailhardener has already observed the first TLSA type reports originating from Microsoft, only days after the announcement.

Example of an SMTP TLS report with a DANE error in the Mailhardener dashboard. (Disclaimer: fictional data for demonstration purpose, not an actual report)
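
To show what a TLSA type report looks like on the wire, the following added example (not Mailhardener's or Microsoft's code) parses an RFC 8460 JSON report and summarises failures for DANE policies. The JSON field names and result types come from RFC 8460; the function name `summarize_dane` and every value in the sample report are constructed for illustration.

```python
import json
from collections import Counter

# RFC 8460 result types that only occur with DANE (policy-type "tlsa").
DANE_RESULT_TYPES = {"tlsa-invalid", "dnssec-invalid", "dane-required"}

# Constructed sample report: names, addresses, counts and the digest placeholder are made up.
SAMPLE_REPORT = """
{
  "organization-name": "Sender Example Corp",
  "date-range": {"start-datetime": "2022-02-01T00:00:00Z",
                 "end-datetime": "2022-02-01T23:59:59Z"},
  "report-id": "constructed-report-0001",
  "policies": [{
    "policy": {"policy-type": "tlsa",
               "policy-string": ["3 1 1 CONSTRUCTED-PLACEHOLDER-DIGEST"],
               "policy-domain": "recipient.example"},
    "summary": {"total-successful-session-count": 120,
                "total-failure-session-count": 7},
    "failure-details": [
      {"result-type": "tlsa-invalid", "sending-mta-ip": "192.0.2.10",
       "receiving-mx-hostname": "mx1.recipient.example", "failed-session-count": 5},
      {"result-type": "certificate-expired", "sending-mta-ip": "192.0.2.10",
       "receiving-mx-hostname": "mx1.recipient.example", "failed-session-count": 2}]
  }]
}
"""

def summarize_dane(report_json):
    """Per policy domain: session totals and failure counts for TLSA policies."""
    out = {}
    for entry in json.loads(report_json).get("policies", []):
        policy = entry.get("policy", {})
        if policy.get("policy-type") != "tlsa":
            continue  # "sts" and "no-policy-found" entries are not DANE
        failures = Counter()
        for detail in entry.get("failure-details") or []:
            failures[detail["result-type"]] += detail.get("failed-session-count", 0)
        summary = entry.get("summary", {})
        out[policy["policy-domain"]] = {
            "ok": summary.get("total-successful-session-count", 0),
            "failed": summary.get("total-failure-session-count", 0),
            "by_type": dict(failures),
            # Failures that point at the TLSA record or its DNSSEC chain.
            "dane_specific": sum(n for t, n in failures.items() if t in DANE_RESULT_TYPES),
        }
    return out

if __name__ == "__main__":
    print(summarize_dane(SAMPLE_REPORT))
```

A non-zero `dane_specific` count means senders that validate DANE could not match the published TLSA record or its DNSSEC chain, which typically calls for checking the record against the certificate the MX host currently serves.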

DANE support now fully integrated in Mailhardener

Coincidentally, during the same week as the release from Microsoft, Mailhardener has officially launched TLSA/DANE support for our customers as well.

Example of a domain with DANE/TLSA enabled in the Mailhardener dashboard

You can now use Mailhardener to monitor TLSA/DANE status of inbound email services.

Conclusion

We are happy to see a large email provider such as Microsoft move forward on hardening email for their customers.

DANE/TLSA is a technology that can improve email security for customers with very little to no effort required by the customer.

Though the effectiveness of DANE and DNSSEC is disputed by some, it is proving to be an effective hardening technique for email.


With Mailhardener you can configure, validate and monitor your domain for all aspects of email hardening. Mailhardener is free to evaluate for a single domain.